itb-au logo
Story image

Aura Infosec discovers major Mozilla Firefox vulnerability

10 Apr 2019

A security consultant at trans-Tasman cybersecurity consultancy, Aura Information Security, is behind the discovery of a major vulnerability in popular web browser Mozilla Firefox that had the potential to expose millions of people’s private online images and documents.

Alex Nikolova, who is based out of Aura’s Wellington office, made the discovery whilst conducting a research project on the same-origin policy of various web browsers, and immediately reported it to Mozilla, who fixed the issue within days.

Alex discovered a bug that had the potential to allow hackers to access user’s images and documents stored in image format, without being detected.

“Usually when a user visits one site, for example, mypics.example, web browsers are supposed to prevent another site, say evil.example, from being able to request information from mypics.example using the user's login session on mypics.example. This is called a "same-origin policy" and it dictates how browsers should behave when it comes to cross-site requests. 

“This bug essentially prevents this same-origin policy from working and allows attackers to easily access private images (which should be accessible only to a logged in user) on any site accessed via Firefox, e.g. Facebook, Instagram, online banking, or even government sites which may store their documents in image file format.

“The image can be anything: from a scanned document to a QR code used for two-factor authentication, and can be in any format (e.g. png, jpg, svg),” she says.

The vulnerability was apparent and exploitable in Firefox (version 65.0) and while it was also present in Google Chrome, Nikolova says that it was never exploitable in the latter, making it a medium-level threat.

Aura general manager Peter Bailey says Alex’s find is just one example of the research coming out of New Zealand and Australia.

“We’re incredibly proud of Alex, research like this is a huge part of what we do at Aura as it encourages our team to be a part of the solution – rather than simply fighting fires or responding to attacks when they’ve already occurred.

“The cybersecurity talent in New Zealand and Australia is world-class, and Alex’s find is just one example of the incredible research coming out of our small but very important corner of the world,” says Bailey.

Aura Information Security sets aside up to 20% of consultants’ time per week for research-based projects.

The company’s consultants have been asked to present research findings at leading InfoSec events all over the world.

Talking about what drives her work and her passion for the industry, Alex notes that while discoveries like this help, it’s the constant evolution of the threat landscape that really thrills her.

“I see it as a puzzle to be solved, to learn how the criminal thinks and always stay one step ahead of them. It ties my love of technical stuff and coding, together with my interest in criminal psychological profiling.

“In my job, I have to get into the attacker's shoes, try to think like them. I'm always looking forward to being presented with the open question of ‘how do you go about owning every possible aspect of that infrastructure’ every time I start a new job.”

Her final advice to all businesses is: “Patch. Keep yourself up-to-date, all the time. Vulnerabilities come out every day and those who want to exploit your data don't need longer than that.”

Story image
Next.js React framework updated to deliver modern web experience
Vercel developed the updated Next.js version in collaboration with more than 1300 open source contributors, as well as partners including Facebook and Google.More
Link image
Counting the cost of COVID - how to improve process efficiencies
Find out how to rank and prioritise processes for digitisation efforts, and why you should strategically leverage a tool for restoring operations.More
Story image
blueAPACHE extends HPE strategic partnership with IaaS platform offering
"HPE technology has underpinned our emPOWER Cloud since launching in 2010, and I am very excited about the capabilities that our renewed partnership will bring moving forward.”More
Link image
Enterprises' data generation efficiency creates 'data gravity' problem
Enterprises are now data powerhouses, but they risk crumbling under the weight of 'data gravity'. But what is data gravity, and how do you break free? Find out more here.More
Story image
How 'data gravity' centres can spell trouble for enterprises
In the not-too-distant past, data was created in a much more centralised place, and users and systems had far less access to it. Now, with digital data from social, analytics, mobile, cloud, IoT and more being created with both simultaneity and omnipresence, so much information is being collected that it’s forming a ‘centre of gravity’.More
Story image
FreedomFi launches 5G gateway based on open source software
The x86 network appliance enables users to build a private LTE or 5G network, through the use of small cell radios and open source software.More